Security - what you need to know

The security of your data and personal information is of utmost importance to us. We work really hard to ensure that your data is kept safe. In this overview, we outline the ways you can help maintain the security of your own account as well as the steps we take to protect it.

Do you have a security issue you'd like to report to us? Email us on [email protected]. We'll respond promptly.

Bank feed security

PocketSmith does not connect directly to your bank to sync your accounts and transactions. Instead, we use a bank feed provider called Yodlee to do this on our behalf. They've been in the industry since 1999 and are held in high regard; 11 of the largest U.S. banks trust Yodlee for their services too.

How you can protect yourself

Increased security with two-factor authentication (2FA)

Use two-factor authentication to add an extra layer of security to your account. With 2FA, your account is protected by something you know (your password) and something you have (your phone). When you log in, you'll be prompted to enter a one-time code generated by your phone. Even if someone found out your password, they still wouldn't be able to access your account.

View your login history

In your PocketSmith settings (Settings > Security) you can view the login history for your account. If you spot any suspicious activity, ensure your devices are secure and change your password immediately.

How we protect you

Your connection to PocketSmith

Your connection to PocketSmith is always encrypted. That means nobody can read or alter your communication with us while it is in transit. This is especially important if you're using PocketSmith on a public WiFi network. Our transport security implementation was given an A+ rating (as of June 2017) by SSL Labs; you can see the report here: https://www.ssllabs.com/ssltest/analyze.html?d=my.pocketsmith.com.

Data security

Your data is stored on our own physical servers and is encrypted at rest at the device level. This means that if someone were able to get into the data centre where the servers operate, they'd be unable to read any data from them.

We don't encrypt individual fields in the database because it wouldn't make the data any more secure. Our application would need to decrypt those fields, and to do that it would have to possess the decryption key. If a bad actor broke into an application server, they could simply take that decryption key and render the whole scheme useless.

Your password is never stored in the clear; instead it is hashed with the bcrypt algorithm and the hash is stored. This hash cannot be reversed to recover your actual password.
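What "hashed, not stored" means in practice, as an added example that is not PocketSmith's own code: the page names bcrypt, which is not in the Python standard library, so this example substitutes `hashlib.pbkdf2_hmac`, another salted and deliberately slow password hash with the same properties. Each password gets a fresh random salt, the output is one-way, and a login is verified by recomputing the hash from the candidate password rather than by decrypting anything. The iteration count and sample passwords are constructed values.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: the page names bcrypt,
# which is not in the standard library). Constructed setting; on a real server you
# tune this so one hash takes on the order of 100 ms.
ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Nothing is decrypted: the stored hash is never reversed."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def salts_differ(password: str) -> bool:
    """Two users with the same password end up with unrelated stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Tr0ub4dor&3"))                  # False
    print(salts_differ("same password"))                            # True
```

Because the salt and iteration count travel with each record, the cost parameter can be raised for new passwords over time without invalidating existing ones; old records keep verifying with the parameters they were created under.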

Application and network security

We have a team of highly skilled engineers who work on PocketSmith. We have a strong culture of peer review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.

We use Cloudflare to help thwart common attacks at the network edge and to protect against DDoS attacks.

Physical hardware security

Our servers are protected by various physical security measures, managed by the folks who run the data centre.